Lok Sabha and Supreme Court websites' SSL certificates invalid

The websites of the Supreme Court of India and the Lok Sabha have invalid SSL certificates. While accessing the Supreme Court’s website results in a Privacy Error on most browsers, accessing the Lok Sabha’s website just results in a “Connection Closed” error. An SSL certificate lets a browser confirm which site it is talking to and encrypt the content of a webpage being delivered to users; it is usually indicated with a green padlock in a browser’s address bar, followed by https://. SSL certificates are pretty standard for any large website, in both the public and private sectors.

MediaNama has reached out to the National Informatics Centre, which developed and maintains both websites, for comment.

Why an SSL certificate is important

Without a valid SSL certificate, personal data submitted to a website is susceptible to interception or imitation: unless a user is encrypting their entire connection with a virtual private network, ISPs or any party in the middle with access to the connection can steal user data. The Supreme Court and Lok Sabha’s websites are both static, meaning they mostly don’t collect data from users. The Supreme Court has a separate website for e-filing, which has a valid SSL certificate. To access the Supreme Court’s site, a user has to choose to “Proceed anyway” after encountering a privacy error in most browsers. In the Lok Sabha’s case, you’ll need to manually remove the s from the https:// to access the site without SSL encryption.

Diminished security isn’t the only consequence of an SSL certificate being invalid. Google search results usually point users to a version of the site that is SSL-encrypted, which can stonewall users trying to access a misconfigured site. Per Alexa, half the traffic for both sites does indeed come from search results. In the Supreme Court’s case, users must bypass a browser UI that is designed to make them turn back. In the Lok Sabha’s case, they must know to remove the s from the https://.

Indian government and SSL

This is not an isolated incident. Different government websites’ SSL certificates periodically become invalid, confronting users with errors that wouldn’t happen if the site hadn’t installed an SSL certificate in the first place. The UIDAI’s Aadhaar enrolment status checking microsite was down for weeks at one point.
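A monitoring check that would flag both failure modes described above (a certificate the browser rejects, and a connection that is closed during the handshake) before users hit them, given here as an added example that is not part of the original article or of any NIC tooling. The function names and result labels are assumptions made for illustration; hostnames are supplied on the command line.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def classify_tls_failure(exc):
    """Map a handshake exception to the symptom a browser user would see."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Expired, self-signed, untrusted issuer or hostname mismatch:
        # the browser shows a privacy error with a "Proceed anyway" option.
        return "certificate-invalid"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, ConnectionAbortedError)):
        # The server dropped the connection mid-handshake ("Connection Closed").
        return "connection-closed"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"  # protocol or cipher mismatch, malformed records
    return "network-error"  # DNS failure, timeout, refused connection


def days_until_expiry(cert, now=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert().

    A negative result means the certificate has already expired.
    """
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc
    )
    return (expires - now).days


def check_host(host, port=443, timeout=5.0):
    """Attempt a fully verified handshake, as a browser would, and report."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: %d days until expiry" % days_until_expiry(tls.getpeercert())
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify_tls_failure(exc)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, check_host(name))
```

Run on a schedule against a site's public hostnames, a low day count gives warning before expiry, and either failure label means visitors arriving over https:// are already being turned away.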

To make matters worse, most SSL certificates on government websites are signed by private certificate authorities like DigiCert, as opposed to open-source alternatives like Let’s Encrypt (which doesn’t come with a fee, unlike private CAs). The government even tried to in-house the entire process by setting up its own certificate authority. That initiative came under question following a security incident in 2014, when Google noticed that some users were accessing its site over invalid SSL certificates issued by the National Informatics Centre. What’s worse, those certificates have to be manually trusted by users, which makes deploying them at scale impractical. It has also raised a security concern:

Do not follow such irresponsible advice. This is dangerous. You risk harming yourself. There is a good reason why no major browser recognises the Root Certifying Authority of India. Shame on you, NCIIPC. https://t.co/M8BjCSmo0y https://t.co/PCNpwU0r3y